Security behaviour change requires a clear vision as well as a coordinated strategy to ensure that interventions are consistent, practical and meaningful.
Before embarking on a change programme, however big or small, it is critical that an organisation is clear on the following:
- The objectives of the change (i.e. the vision or strategy)
- The size and scale of the change (i.e. the gap between where the organisation is now and where it wants to be)
- The actions to implement the change (i.e. the interventions)
- The organisation is ready for the change (i.e. it has the necessary time, resources and buy-in)
- How to communicate the change to the target audience and other key stakeholders (i.e. the communications strategy)
- How to review and evaluate the impact of the change (i.e. the measures of success and key performance indicators)
There is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation will ultimately work best.
CPNI has developed the 5 E’s approach to organisational behaviour change. This provides some overarching principles that organisations are advised to follow when developing a security change programme, drawing on latest behaviour change theory.
Listed below are CPNI's off-the-shelf security behaviour change campaigns and guidance documents that you are welcome to use for free.
Embedding security savvy behaviours in the workplace
Embedding vigilance behaviours when entering or leaving a site
Embedding security savvy behaviours online
Raising awareness of phishing and spear-phishing
Guidance on providing security information during the first 12 months of the employee lifecycle
Advice to help managers recognise the important role they play in developing a good security culture
Raising awareness of threats on social media and professional networking sites